Blog

Research

ISL Finds Location-Based Advertising on Kids’ Site CoolMathGames.com

Written by Internet Safety Labs
May 8, 2024

1  Executive Summary

Last year, Internet Safety Labs (ISL) observed that CoolMathGames.com website (from CoolMath.com, LLC [referred to as “Cool Math”], owned by Sandbox Group) contained location-based behavioral advertisements.  

Using the Federal Trade Commission’s guidelines on a “child-directed” website, ISL believes CoolMathGames.com may fall under the protections afforded by the US Children’s Online Privacy Protection Rule (COPPA).  

ISL had seen Cool Math before, as it came up in our 2022 K-12 EdTech benchmark where twenty-five (3.8%) schools in the sample recommended or required Cool Math Games to students. Twenty-one (84%) of those 25 schools were elementary or middle schools (i.e. schools with children under the age of 13; see Table 8.1 for more details).  

Of note, however, there is another Cool Math site called CoolMath4Kids.com which has different ad behavior that may be compliant with COPPA. However, none of the schools in our 2022 benchmark recommended CoolMath4Kids.com.  

Both Cool Math sites utilize a COPPA Safe Harbor Certified [by KidSafe] advertising platform from Playwire, who is also listed as the “ManagerDomain” for both Cool Math websites’ ads.txt files. The ManagerDomain role is responsible for managing ads on the domain. 

    • ISL wonders what Playwire’s responsibility is in ensuring that the COPPA Certified configuration is applied to child-directed sites for which it is the manager domain in the ads.txt file.
    • ISL further questions whether an ad platform really can/should be COPPA Safe Harbor certified, since they can be easily configured as either COPPA compliant or non-compliant, as seems to be the case with the Cool Math websites. 

ISL requested that CoolMath.com, LLC / Sandbox Group modify the CoolMathGames.com site, removing the behavioral advertising [i.e. suggested that they use the seemingly COPPA compliant version of the ads.txt file]. Despite our repeated attempts, Sandbox Group did not modify the site and the behavioral ads remain on the site.  

Description of Problem(s) 

Site:  coolmathgames.com 

Number of Monthly Users:  13.03M monthly visitors.  74% from the USA, 6% each from the UK and Australia, 5% from Canada, and about 1% from New Zealand. (Source: Similarweb.com) 

Description of Problem:  While evaluating coolmathgames.com, ISL observed the presence of location based behavioral advertising and cross-site trackers uniquely identifying users (i.e. children).  

Despite being contacted several times by ISL, Sandbox Group, the parent company Cool Math Games, has not acted on ISL’s request to change the advertising behavior in CoolMathGames.com.  

3  Details 

The CoolMathGames.com homepage has multiple ads on its website. As seen below in Figure 3.1, without scrolling the page the user sees three (3) advertisements. Thus, upon loading the CoolMathGames.com webpage, viewer information is sent into the Real Time Bidding (RTB) stream as a part of filling the ad spaces on the homepage. This information includes data such as a unique user identifier, as well as geolocation information. These advertisements are not generic/contextual. The advertisement indicated “1”, contains geolocation information which is blurred for researcher privacy.  

Figure 3.1

Figure 3.2 shows the geolocation information in clear text in the website’s trafficAlong with the geolocation information, internet service provider (ISP) information is also collected and transferred.  Again, the geolocation information has been blurred for researcher privacy.

Figure 3.2

3.1  Ads.txt Files

Per the Internet Advertising Bureau (IAB) standard, any website that serves advertisements should contain an “ads.txt” file. This file can usually be found at <website>/ads.txt, and contains a list of the Authorized Digital Sellers for ads served on the website. (Note that there is also a version of Authorized Digital Sellers for mobile apps, called app-ads.txt) Figure 3.3 shows the ads.txt files for CoolMathGames.com, which indicates that the file is managed by Playwire.com. 

Figure 3.3

In network traffic, researchers saw calls to a Playwire configuration json file. Figure 3.4 shows this configuration file, with the pertinent information for CoolMathGames.com expanded. Note the presence of a “coppa” flag [set to “false”] as well as website categories including “kids” andgames_casual. Playwire offers COPPA compliant advertising services, but we can see this does not appear to be applied to CoolMathGames.com, despite the primary category being, by their own designation “kids. 

Figure 3.4

Concerns 

These findings lead to three concerns.  

  1. First and foremost is the concern over the presence of behavioral ads—particularly location-based—in the CoolMathGames.com website, a service that is recommended to students in elementary and middle schools around the country. In the ISL 2022 EdTech benchmark, 21 elementary or middle schools (with students as young as pre-K) recommended CoolMathGames.com (see Table 8.1)    
  2. Second, how much responsibility does Playwire have in this scenario? It’s clear in their pre_content config file that the site is for “kids” but the COPPA flag is set to false. Moreover, Playwire has the role of ManagerDomain for the ads.txt file. What is their responsibility in this case? 
  3. Finally, ISL questions whether ad platforms like Playwire can realistically be COPPA Safe Harbor Certified—at least in the way that it is currently being performed. COPPA certification for ad platforms requires monitoring of the deployed configuration, and that does not appear to be happening right now. ISL was able to have a discussion with kidSAFE regarding these concerns, and the issue appears to be systemic in nature, i.e. with the nature of the Safe Harbor certification program requirements as prescribed by COPPA and the FTC. 

5  ISL’s Responsible Disclosures 

ISL undertook the following efforts to make CoolMath.com aware of the concerns stated in this report:

  1. December 12, 2023: ISL sends first email sent to CoolMath.com. 
  2. December 19, 2023: ISL receives response from Sandbox Group, including a number of questions. 
  3. December 22, 2023: ISL sends response with detailed data/files from research and answers to questions. No response was received. 
  4. January 16, 2024: ISL sends an email seeking a response. (None received.) 
  5. February 22, 2024: ISL sends another email seeking a response. (None received.)  

ISL also sent emails to Playwire (legal@playwire.com) on December 12, 2023 and twice on January 16, 2024, all times receiving an automated and unhelpful response. 

6  Call to Action for CoolMath.com LLC, Sandbox Group, and Playwire

Once again, ISL requests that CoolMath.com LLC and Sandbox Group to remove behavioral advertising from CoolMathGames.com. In particular: 

  1. Inform the ad networks and exchanges you partner with that this site is child-directed and should therefore receive COPPA protections, and  
  2. Immediately change the CoolMathGames ads.txt and app-ads.txt files for the website and the two mobile apps to the appropriate “Playwire COPPA Ads.txt” files.  

ISL also requests that Playwire take a more active role in providing the right ads.txt files for child-directed sites.  

7  Safety Suggestions

ISL suggests that schools refer students to CoolMath4kids.com instead of CoolMathGames.com until behavioral advertising is removed from the latter site.

8  References

The following table 8.1 lists the schools from the ISL 2022 K-12 EdTech Safety Benchmark found to be recommending or requiring the use of CoolMathGames to students. 

Table 8.1 Schools in 2022 EdTech Benchmark Recommending CoolMathGames

 

About ISL Responsible Disclosures 

As a non-profit, independent product safety watchdog organization, Internet Safety Labs (ISL) is dedicated to catalyzing software changes to keep people safer while using technology. To this end, we sometimes discover serious safety risks as we conduct our ongoing research; we aren’t looking for these, but we happen upon them (such was the case with the dangling domain that Apple ultimately purchased, keeping potentially millions of people safe). 

When we find these risks, our practice is to contact the developer and request that they make a specific change. We call this a responsible disclosure of a safety risk in the software, similar to the responsible disclosure of a security vulnerability. The best outcome is that the developer makes the change, and we then commend their commitment to keeping their users safe.  

No organization is exempt from our safety scrutiny—whether it’s a commercial entity, a non-profit organization, or government organization. Our responsible disclosures of safety risks are offered in a constructive and supportive spirit, working from an assumption that the organization may not be aware of the risk.